Responding to a legal demand for data

Trigger: you or your organisation have received a court order, subpoena, law enforcement request, intelligence agency request, or regulatory demand requiring you to disclose, preserve, or provide access to data.

Do not comply without legal review. Do not delete anything. If the demand contains a non-disclosure obligation (many do), do not discuss it with anyone other than your legal adviser.

Get legal advice first

Legal review is not optional. The scope of what you are obliged to disclose, whether the demand is legally valid, the jurisdiction it originates from, and whether a non-disclosure order applies are all questions for a solicitor or equivalent legal adviser.

If your organisation has in-house legal counsel, they are the first call. If not, engage external counsel immediately. The timeframe for compliance is often tight but is rarely so short that you cannot obtain legal advice first.

Do not destroy anything

Destroying data after receiving a legal hold notice may constitute contempt of court or an obstruction offence in most jurisdictions. Even data you would ordinarily delete under your retention policy must be preserved once a demand has been received, if it could fall within the demand's scope.

Suspend any automated deletion processes that might apply to data covered by the demand: retention jobs, log rotation, backup expiry, and account or ticket purges. Document the date you received the demand, the date you suspended deletion, and which processes were suspended.
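One way to build the "suspend automated deletion" step into a retention job, as an added example that is not part of the original runbook: the sweep consults a legal-hold register before deleting anything, honours holds that cover an entire dataset as well as holds scoped to named data subjects, refuses to run if the register cannot be read, and emits an audit line recording the demand's received and suspended dates. The `Record`, `LegalHold` and `retention_sweep` names and the sample records and holds are constructed for illustration; a real deployment would back the register and record store with the systems that actually hold the data.

```python
"""Retention sweep that honours a legal-hold register.

Added example for illustration; names and sample data are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date, datetime, timedelta, timezone


@dataclass(frozen=True)
class Record:
    record_id: str
    subject: str          # data subject or account the record belongs to
    created: datetime     # timezone-aware creation time


@dataclass(frozen=True)
class LegalHold:
    hold_id: str
    received: date                     # date the demand was received
    suspended: date                    # date automated deletion was suspended
    subjects: frozenset[str] | None    # None means the hold covers the whole dataset
    released: date | None = None       # set once counsel confirms the hold is lifted

    def active_on(self, day: date) -> bool:
        return self.released is None or self.released > day

    def covers(self, rec: Record) -> bool:
        return self.subjects is None or rec.subject in self.subjects


@dataclass
class SweepResult:
    deleted: list[str] = field(default_factory=list)   # record ids removed
    held: list[str] = field(default_factory=list)      # expired but preserved
    audit: list[str] = field(default_factory=list)     # one line per decision


def retention_sweep(records: list[Record], holds: list[LegalHold] | None,
                    retention_days: int, now: datetime) -> SweepResult:
    """Return what a retention sweep would delete and what it must keep.

    Fails closed: if the hold register is unavailable the sweep does not run,
    because deleting without knowing the holds is the irreversible mistake.
    """
    if holds is None:
        raise RuntimeError("legal-hold register unavailable; refusing to sweep")

    today = now.date()
    cutoff = now - timedelta(days=retention_days)
    active = [h for h in holds if h.active_on(today)]
    result = SweepResult()

    for rec in records:
        if rec.created > cutoff:
            continue  # still within the retention period; nothing to decide
        matching = [h for h in active if h.covers(rec)]
        if matching:
            result.held.append(rec.record_id)
            for h in matching:
                result.audit.append(
                    f"{today.isoformat()} HOLD {rec.record_id} hold={h.hold_id} "
                    f"received={h.received.isoformat()} suspended={h.suspended.isoformat()}"
                )
        else:
            result.deleted.append(rec.record_id)
            result.audit.append(f"{today.isoformat()} DELETE {rec.record_id} "
                                f"created={rec.created.date().isoformat()}")
    return result


# Constructed sample data: a 90-day policy evaluated on 2024-06-01.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE_RECORDS = [
    Record("r1", "alice", datetime(2024, 1, 10, tzinfo=timezone.utc)),  # expired, on hold
    Record("r2", "bob", datetime(2024, 1, 15, tzinfo=timezone.utc)),    # expired, hold released
    Record("r3", "carol", datetime(2024, 5, 20, tzinfo=timezone.utc)),  # within retention
    Record("r4", "alice", datetime(2024, 5, 25, tzinfo=timezone.utc)),  # within retention
]
SAMPLE_HOLDS = [
    LegalHold("LH-1", date(2024, 5, 30), date(2024, 5, 30), frozenset({"alice"})),
    LegalHold("LH-2", date(2023, 11, 1), date(2023, 11, 2), frozenset({"bob"}),
              released=date(2024, 1, 1)),
]


def run_demo() -> SweepResult:
    return retention_sweep(SAMPLE_RECORDS, SAMPLE_HOLDS, retention_days=90, now=NOW)


if __name__ == "__main__":
    for line in run_demo().audit:
        print(line)
```

The sweep is deliberately a dry run that returns decisions rather than performing deletions, so the same function can be used to show counsel exactly what would have been removed and why it was not.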

Assess the scope

With legal advice, determine:

  • What authority issued the demand, and do they have jurisdiction over your organisation?

  • What data does the demand cover, precisely?

  • Does it require disclosure (handing over data), preservation (keeping it but not yet disclosing), or access (allowing inspection)?

  • Does it contain a non-disclosure order preventing you from informing the data subject?

  • What is the deadline for compliance?

Demands are sometimes overbroad. Legal counsel can assess whether the scope is proportionate and, where applicable, challenge or negotiate it.

Assess notification obligations

In many EU jurisdictions you may be obliged to inform a data subject when their data is disclosed to a third party, unless a court order or statutory provision specifically prohibits that notification. Intelligence and national security demands frequently carry such a prohibition, often by default. Your legal adviser can confirm what applies to this demand.

If notification is permitted and required, use the process described in the breach response runbook to handle communication with affected individuals.

Respond within scope

Once you have legal advice, respond only within the scope of what is actually required. Anything beyond that minimum is voluntary disclosure, and voluntary disclosure creates additional exposure for your organisation and for the data subjects.

Document what was disclosed, to whom, when, and under what authority, and retain a copy of the demand itself alongside an exact record of what was handed over. This documentation is important both for your legal record and for any later accountability review.

After the demand is resolved

Review whether the demand exposed a data-holding problem: data you held that you had no need to hold, or held for longer than necessary. Update your data audit and retention policies accordingly. See the data audit playbook.

If the demand came as a surprise because your data map was incomplete, use it as a trigger to improve visibility into what you hold and where.